CLAIMS 



What is claimed is: 

1. In a system that includes a user computer that communicates with a 
server computer over a network, a method for mitigating a cross-site scripting attack, 
the method comprising: 

receiving a request from a user computer, wherein the request includes 
data derived from an outside source; 

determining if the request from the user computer includes a marker of 
active content; and 

refraining from executing the request if the request includes the marker 
of active content. 

2. A method as defined in claim 1, wherein receiving a request from a user 
computer further comprises receiving an HTTP request from the user computer. 



3. 



A method as defined in claim 1, wherein receiving a request from a user 



computer further comprises at least one of: 




receiving one or more HTTP headers from the user computer. 



receiving a query string from the user computer; 



receiving an HTTP form from the user computer; and 



receiving a cookie from the user computer; 
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4. A method as defined in claim 3, wherein determining if the request from 
the user computer includes a marker of active content further comprises evaluating only 
a portion of the request that includes the data derived from an outside source. 



the user computer includes a marker of active content further comprises at least one of: 
searching the request for one or more character combinations that 
correspond to a script construct; 

searching the request for an event that includes a script construct; and 
searching the request for an expression that includes a script construct. 

6. A method as defined in claim 1, wherein determining if the request from 
the user computer includes a marker of active content further comprises searching the 
request for a pattern that indicates an unauthorized script. 

7. A method as defined in claim 1 , wherein refraining from executing the 



A method as defined in claim 1, wherein determining if the request from 



request if the request includes the marker of active content further comprises at least 




one of: 



requiring the user computer to re-submit the request. 



encoding a response that is delivered to the user computer; and 



generating an event that is logged at the server; 
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8. In a system that includes a user computer that communicates with a 
server computer over a network, wherein the server computer generates dynamic 
content based on input from the user computer, a method for mitigating a cross-site 
scripting attack such that data submitted to the server computer is not sent back to the 
user computer as script, the method comprising: 

receiving an HTTP request at a server computer, wherein the HTTP 
request includes input data that was not generated by the server computer; 

evaluating the HTTP request to determine if the input data includes a 
script construct, wherein the script construct indicates that HTTP request is part 
of a cross-site scripting attack; and 

preventing the cross-site scripting attack if the input data includes a 
script construct. 

9. A method as defined in claim 8, wherein receiving an HTTP request at a 
server computer further comprises at least one of: 



receiving a query string that includes at least one query string variable; 



receiving a cookie; 




receiving one or more form fields. 



receiving one or more headers in the HTTP request; and 
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10. A method as defined in claim 8, wherein evaluating the HTTP request to 
determine if the input data includes a script construct further comprises at least one of: 

searching the HTTP request for one or more character combinations that 
correspond to a script construct; 

searching the HTTP request for an event that includes a script construct; 

searching server variables that derive input data from another source; and 

searching the HTTP request for an expression that includes a script 
construct. 



11. A method as defined in claim 8, wherein evaluating the HTTP request to 
determine if the input data includes a script construct further comprises searching the 
input data for a script construct. 



12. A method as defined in claim 11, wherein searching the input data for a 
script construct further comprises searching for patterns associated with scripts. 
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14. A method as defined in claim 8, wherein preventing the cross-site 
scripting attack if the input data includes a script construct further comprises logging an 
event at the server computer. 
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15. A method as defined in claim 8, wherein preventing the cross-site 
scripting attack if the input data includes a script construct further comprises encoding 
the user input including the script construct to render the script inert. 

16. A method as defined in claim 8, wherein evaluating the HTTP request to 
determine if the input data includes a script construct further comprises evaluating the 
HTTP request to determine in the input data includes a marker of active content. 

17. A method as defined in claim 16, wherein evaluating the HTTP request 
to determine in the input data includes a marker of active content further comprises 
determining if the marker of active content is within a particular element, wherein the 
marker of active content is harmful only when rendered within the particular element. 
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18. In a system that includes a user computer that communicates with a 
server computer over a network, wherein the server computer generates dynamic 
content based on input from the user computer, a computer program product for 
implementing a method for mitigating a cross-site scripting attack such that input data 
submitted to the server computer is not sent back to the user computer as script, the 
computer program product comprising: 

a computer-readable medium having computer executable instructions 
for performing the method, the method comprising: 

receiving an HTTP request at a server computer, wherein the 
HTTP request includes input data that was not generated by the server 
computer; 

evaluating the HTTP request to determine if the input data 
includes a script construct that indicates a cross-site scripting attack; and 

preventing the cross-site scripting attack if the input data includes 
a script construct. 



19. A computer program product as defined in claim 18, wherein receiving 
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20. A computer program product as defined in claim 18, wherein evaluating 
the HTTP request to determine if the input data includes a script construct further 
comprises at least one of: 

searching the HTTP request for one or more character combinations that 
correspond to a script construct; 

searching the HTTP request for an event that includes a script construct; 
searching server variables that derive input data from another source; and 
searching the HTTP request for an expression that includes a script 
construct. 



21. A computer program product as defined in claim 18, wherein evaluating 
the HTTP request to determine if the input data includes a script construct further 
comprises searching the input data for a script construct. 
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22. A computer program product as defined in claim 21, wherein searching 
the input data for a script construct further comprises searching for patterns associated 
with scripts. 



O § £ £ £ 5 23. A computer program product as defined in claim 18, wherein preventing 

the cross-site scripting attack if the input data includes a script construct further 
comprises refraining from executing the HTTP request. 
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24. A computer program product as defined in claim 18, wherein preventing 
the cross-site scripting attack if the input data includes a script construct further 
comprises logging an event at the server computer. 

25. A computer program product as defined in claim 18, wherein preventing 
the cross-site scripting attack if the input data includes a script construct further 
comprises encoding the user input including the script construct to render the script 
inert. 
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